@soandos, that's not necessarily true. The file may be designed to exploit the torrent-client when it hashes it to check that it's good; it can also be designed to exploit the operating-system when it reads the file to produce a thumbnail or extract metadata.
– Synetech, Jul 5 '12 at 17:41

@IMB, which file is the antivirus flagging? Are the positive reviews from real people or are they obviously generated/copy-pasted?
– Synetech, Jul 5 '12 at 17:41

15 Answers

TL;DR

An AVI file is a video, and therefore not executable, so the operating system can/will not run the file. As such, it cannot be a virus in its own right, but it can indeed contain a virus.

History

In the past, only executable (i.e., "runnable") files would be viruses. Later, Internet worms started using social engineering to trick people into running viruses. Specifically, they would rename an executable to include other extensions like .avi or .jpg to trick the user into thinking it is a media file and running it. For example, an email client may only display the first dozen or so characters of the attachment, so by naming the file something like "FunnyAnimals.avi .exe", the user sees what looks like a video, runs it and gets infected.

This was not only social engineering (tricking the user), but also an early exploit. It exploited the limited display of filenames in email clients to pull off its trick.

Technical

Later, more advanced exploits came along. Malware writers would examine a disassembled listing of a program and look for certain exploitable instructions. These instructions often take the form of some sort of user input. For example, a login dialog box on an OS or web-site may not perform error-checking and expect the user to enter only appropriate data. If you then enter data that it does not expect (or in most cases, too much data), then you can end up putting the data in part of the memory that it should not be. Normally, the user-data should be contained only in a variable, but by exploiting poor error-checking and memory-management, it is possible to put it in a part of memory that can be executed. A common, and well-known method is the buffer-overflow which puts more data in the variable than it can handle, thus overwriting other parts of memory.

Media files are the same. They can be made so that they contain a bit of machine code and exploit the viewer program so that the machine code ends up running. What's worse with media files is that unlike a login which is obviously bad (e.g., username: johndoe234AUI%#639u36906-q1236^<>3;'k7y637y63^L:l,763p,l7p,37po[33p[o7@#^@^089*(^#)360as][.;][.][.>{"{"#:6326^), a media file can be made so that it actually contains proper, legitimate media that is not even corrupt and so looks completely legitimate and goes utterly undetected until the infection's effects take place.

Yes, media files (and for that matter, any file) can contain a virus by exploiting vulnerabilities in the program that opens/views the file. The problem is that exploits are fragile. They usually only affect one media player or another as opposed to all players, and even then, they are not guaranteed to work for different versions of the same program (that's why operating systems issue updates to patch vulnerabilities). Because of this, malware writers usually only bother to spend their time cracking systems/programs in wide use or of high value (e.g., Windows, bank systems, etc.). This is particularly true since hacking has gained in popularity as a business with criminals trying to get money and is no longer just the domain of nerds trying to get glory.

Application

If your video file is infected, then it will likely only infect you if you happen to use the media player(s) that it is specifically crafted to exploit. If not, then it may crash, fail to open, play with corruption, or even play just fine (which is the worst because it then gets flagged as okay and gets spread to others who may get infected).

Anti-malware programs usually use signatures and/or heuristics to detect malware. Signatures look for patterns of bytes in the files that usually correspond to instructions in well-known viruses. The problem is that because of polymorphic viruses that can change each time they reproduce, signatures become less effective. Heuristics observe behavior patterns like editing specific files or reading specific data. These usually only apply once the malware is already running (but can be more effective than signatures).

In both cases, anti-malware programs can, and do, report false-positives.

Obviously the most important step in computing safety is to get your files from trusted sources. If the torrent you are using is from somewhere you trust, then presumably it should be okay. If not, then you may want to think twice about it, especially since there are groups who purposely release torrents containing fakes or even malware.

Good overview. There were some well-known exploits in the past where the payload was delivered as a GIF image file. The keywords for more information are: "buffer overflow exploit arbitrary code execution"
– horatio, Jul 5 '12 at 20:27

@horatio, I hadn't heard about a GIF exploit (unless you are referring to the GDI vulnerability), but I know the WMF exploit was huge news.
– Synetech, Jul 5 '12 at 20:48
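The answer above describes the mechanism in prose: a media file carries a length field, a careless player believes it, and the attacker-controlled length drives a copy into a fixed buffer. The following is an added example (not code from the original thread or from any player) showing that idea on the actual AVI container format, which is RIFF: a 4-byte chunk id followed by a little-endian 32-bit size. `trusting_chunk_sizes` walks the file the way a careless parser does and simply believes each size field; in C that value would go straight to `malloc()`/`memcpy()`, and a value like 0xFFFFFFF0 also wraps `size + 8` to a tiny number in 32-bit arithmetic, so a small buffer gets allocated and a huge copy follows. `walk_chunks` is the hardened form: every declared size is checked against the bytes that actually remain before it is used. The sample bytes are constructed inline and are only AVI-shaped (a real AVI also needs `hdrl` and `movi` LISTs, which this example does not model).

```python
import struct


def build_riff(form, chunks):
    """Assemble a RIFF container from (fourcc, payload) pairs.
    Constructed test data only: a real AVI also needs 'hdrl' and 'movi' LISTs."""
    body = b""
    for fourcc, payload in chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload
        if len(payload) % 2:
            body += b"\x00"          # RIFF pads odd-sized chunks to an even length
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + form + body


def trusting_chunk_sizes(data):
    """Walk top-level chunks the way a careless player does: read each chunk's
    size field and believe it.  In C that size would be handed to malloc() or
    memcpy() into a fixed buffer, which is the overflow described in the thread.
    Here it only reports what the file *claims* each chunk's length is."""
    sizes = []
    off = 12                         # skip 'RIFF' + size + form type
    while off + 8 <= len(data):
        fourcc = data[off:off + 4]
        size = struct.unpack_from("<I", data, off + 4)[0]
        sizes.append((fourcc, size))
        off += 8 + size + (size & 1)
    return sizes


def walk_chunks(data):
    """Bounds-checked walk.  Returns (form, [(fourcc, payload_offset, size)])
    or raises ValueError before any declared size could be acted on."""
    if len(data) < 12 or data[:4] != b"RIFF":
        raise ValueError("not a RIFF container")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = 8 + riff_size
    if end > len(data):
        raise ValueError(f"RIFF header claims {end} bytes, file has {len(data)}")
    form = data[8:12]
    chunks = []
    off = 12
    while off < end:
        if end - off < 8:
            raise ValueError(f"truncated chunk header at offset {off}")
        fourcc = data[off:off + 4]
        size = struct.unpack_from("<I", data, off + 4)[0]
        start = off + 8
        if size > end - start:   # the check a trusting parser lacks
            raise ValueError(f"chunk {fourcc!r} at offset {off} declares {size} bytes "
                             f"but only {end - start} remain")
        chunks.append((fourcc, start, size))
        off = start + size + (size & 1)
    return form, chunks


def is_well_formed(data):
    try:
        walk_chunks(data)
        return True
    except ValueError:
        return False


# Constructed samples: a tiny well-formed AVI-shaped container, and the same
# bytes with the first chunk's size field rewritten to an absurd value.
GOOD = build_riff(b"AVI ", [(b"JUNK", b"x" * 5), (b"idx1", b"\x00" * 16)])
BAD = bytearray(GOOD)
struct.pack_into("<I", BAD, 16, 0xFFFFFFF0)   # offset 16 = size field of 'JUNK'
BAD = bytes(BAD)

if __name__ == "__main__":
    print("good:", trusting_chunk_sizes(GOOD), is_well_formed(GOOD))
    print("bad: ", trusting_chunk_sizes(BAD), is_well_formed(BAD))
```

Note what the bounds check does and does not buy you: it protects the parser from a lying size field, which is the crash-or-code-execution path, but a chunk whose size is correct and whose payload happens to be machine code is structurally valid and passes `walk_chunks` without complaint. That is why the answer's point about a file that "plays just fine" matters, and why scanners fall back to signatures and heuristics rather than structural validation alone.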

I won't say it's impossible, but it would be difficult. The virus writer would have to craft the AVI to trigger a bug in your media player, and then somehow exploit that to run code on your operating system -- without knowing what media player or OS you are running. If you keep your software up to date, and/or if you run something other than Windows Media Player or iTunes (as the biggest platforms, they will be the best targets), you should be pretty safe.

However, there is a related risk that is very real. Movies on the internet these days use a variety of codecs, and the general public doesn't understand what a codec is -- all they know is "it's something I sometimes have to download so the movie will play". This is a genuine attack vector. If you download something and are told "to view this, you need the codec from [some website]", then be very sure you know what you're doing, because you could infect yourself.

An .avi file extension is not a guarantee that the file is a video file. You could take any .exe virus and rename it to .avi (this makes you download the virus, which is half of the path to infecting your computer). If there are any exploits open on your machine that allow the virus to run, then you would be affected.

If you think it is malware, just stop the download and delete it; never execute it before an antivirus scan.

-1 This is not how an .avi would likely infect you - even if it were an .exe renamed to .avi, it would not execute as an executable when you opened it, unless you were stupid enough to rename it to .exe beforehand.
– BlueRaja, Jul 5 '12 at 20:20

Transferring viruses to a user's machine is not the hardest part; it's a completely trivial part. You can just rename the .exe to .jpg and include it in a web page, and it will be transferred when the user visits your page. The hardest part of infection is doing the first code execution.
– MatsT, Jul 6 '12 at 9:57

@BlueRaja: I actually saw an infection happen to a colleague's computer with a .avi file, and reproduced it myself on a VM. She had downloaded a zip that contained a couple of files, one with an AVI extension, and the other a batch script. Opening the AVI didn't work, so she tried opening the script. The script had code to run the "AVI" from the command line as an executable, and you can guess what happened next (the virus encrypted all data in her user directory after changing the password, and then demanded $25 as a penalty for acting stupid).
– Hippo, Jul 6 '12 at 13:05

@Hippo that is rather a poor example, because the fact that the actual virus -- the script in this case -- came with an AVI is irrelevant to the fact that an AVI cannot on its own infect your computer. Considering that most computers and preferred targets are connected to the internet, the script could simply download the virus from the web. And again, if you can get someone to run a 'script', then why not put the virus there in the first place?
– omeid, Jul 7 '12 at 9:06

But any other file or extension would have the same impact, if any.
– omeid, Jul 8 '12 at 2:55

It's possible, yes, but very unlikely. You are more likely to try and view a WMV and have it auto-load a URL or ask you to download a license, which in turn pops up a browser window which could exploit your machine if it's not fully patched.

.avi (or .mkv for that matter) are containers and support inclusion of a variety of media - multiple audio/video streams, subtitles, DVD-like menu navigation, etc. There is nothing preventing malicious executable content from being included either, but it will not be run except in the scenarios Synetech described in his answer.

Still, there is one commonly exploited angle left out. Given the variety of codecs available and no restrictions on including them in container files, there are common protocols to prompt a user to install the necessary codec, and it doesn't help that media players may be configured to automatically attempt codec lookup and installation. Ultimately codecs are executable (minus a small array of ones that are plugin-based) and could contain malicious code.

My Avast Antivirus just informed me that there was a trojan embedded in one of my downloaded movie AVIs. When I tried to quarantine it, it said the file is too big and cannot be moved, so I had to delete it instead.

The virus is called WMA.wimad [susp] and is apparently a medium threat virus that does some sort of browser hijack stuff. Not exactly system breaking, but it does prove that you can get viruses from AVI files.

If the download isn't complete yet, wait until it completes before you decide what to do. When the download is only partially complete, the missing parts of the file are essentially noise and quite prone to produce false positives when checked for malware.

As @Synetech explained in detail, it's possible to spread malware through video files, possibly before the download even finishes. But that it's possible doesn't mean that it's likely. From my personal experience, the odds of a false positive during an ongoing download are much higher.

> The odds of a false positive during an ongoing download are much higher. I don't know about "much", but it's certainly possible since the incomplete file may have a lot of nulls which could just happen to be next to a bit of normally innocuous bytes that end up happening to look like bad machine code (at least until the nulls are overwritten with the actual data).
– Synetech, Jul 5 '12 at 20:07

On the other hand, preview images in Windows Explorer are generated by your video player of choice. If this player is the one that the virus exploits, there's the possibility of catching the virus just by opening the file's folder in Explorer! In this case, you want to catch the virus before you finish downloading the file. There have been viruses that spread like this in the past.
– BlueRaja, Jul 5 '12 at 20:23

@Synetech: I have no data about this, but I know at least 20 people who got a false alarm from an incomplete torrent download. While I read that it's possible, I know nobody that got his computer infected by an actual video file.
– Dennis, Jul 5 '12 at 20:24

@BlueRaja, yup, that's what I warned soandos about above. However, for most common media files, it is Windows/WMP that generates the preview, not a third-party program (most novices don't have FFDShow installed; at least not if they don't install all those nasty, god-forsaken mega codec packs).
– Synetech, Jul 5 '12 at 20:32

@BlueRaja, I cannot find any information on that. Can you please find a source for that. I only use the portable, so I have never seen VLC generating thumbnails. Further, one would think that it would generate thumbnails for every type of video that it can play and is associated with, including FLV, MKV, etc. yet it does not, hence programs like Icaros. In fact, it seems that there are plans to implement a VLC preview handler, but that has been delayed.
– Synetech, Jul 5 '12 at 20:42

Having spent time assisting users in resolving malware issues, I can testify that the usual exploitation mechanism used by scammers is more social than technical.

The file is simply named *.avi.exe, and the default setting in Windows does not reveal common file extensions. The executable file is simply assigned an AVI file icon. This is similar to the tactics used to distribute *.doc.exe viruses, where the file has Winword's icon.

I have also observed dodgy tactics such as long file names being used in p2p distribution, so the client displays only partial names in the file list.

Using shoddy files

If you need to use the file, always use a sandbox that is configured to stop outgoing internet connections. Windows Firewall is badly configured to allow outgoing connections by default. Exploitation is an action, which like any action always has a motivation. Usually, it's performed to siphon browser passwords, cookies or licenses and transfer the contents to an external resource (such as FTP) owned by an attacker. Hence, if you use a tool such as Sandboxie, disable outgoing internet connections. If you use a virtual machine, ensure that it contains no sensitive information and always block outgoing internet access using a firewall rule.

If you do not know what you're doing, don't use the file. Be safe and do not take risks that are not worth taking.

Note, that page does not actually implement an exploit to infect a system, it only hides some data in an image file using steganography (in this case it’s malware, but it could as well be anything). The code does not actually run, it is simply hidden. It does accomplish the goal of getting the code on the target system, but then it would need some other method of being run.
– Synetech, Jul 6 '12 at 5:14
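Two posts in this thread describe the same non-technical trick from different angles: Synetech's history section ("FunnyAnimals.avi .exe" shown truncated by an email client) and the answer above (*.avi.exe with Windows hiding known extensions, and over-long names in p2p file lists). Below is an added example, not code from the thread or from any product, of the checks a download tool or scanner could apply to a filename before anyone double-clicks it. The extension lists, the 20-character display window and the function name `filename_warnings` are assumptions for illustration; the sample names are constructed.

```python
import os

# Extensions Windows treats as programs (assumed list, kept to common ones).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a victim reads as harmless media or documents (assumed list).
DECOY_EXTS = {".avi", ".mkv", ".mp4", ".wmv", ".mov",
              ".jpg", ".jpeg", ".gif", ".png", ".doc", ".pdf"}


def filename_warnings(filename, visible_chars=20):
    """Return a list of reasons a filename looks built to mislead about its type.

    visible_chars models a file list (email client, p2p client) that only shows
    the first N characters of a name.  An empty list means nothing suspicious."""
    name = os.path.basename(filename)
    parts = name.split(".")
    exts = ["." + p.lower() for p in parts[1:]]
    if not exts:
        return []                      # no extension at all: nothing to disguise

    warnings = []
    true_ext = exts[-1].strip()        # what the OS actually dispatches on
    decoys = [e.strip() for e in exts[:-1] if e.strip() in DECOY_EXTS]

    # 1. Double extension: 'Movie.avi.exe' runs as a program, but with
    #    "hide extensions for known file types" on, Explorer shows 'Movie.avi'.
    if true_ext in EXECUTABLE_EXTS:
        if decoys:
            shown = name[: name.lower().rfind(true_ext)].rstrip()
            warnings.append(f"executable {true_ext} disguised as {decoys[-1]}; "
                            f"with known extensions hidden, Windows shows '{shown}'")
        else:
            warnings.append(f"executable extension {true_ext}")

    # 2. Whitespace padding: 'FunnyAnimals.avi .exe' pushes the real
    #    extension past whatever width the list control gives the name.
    if any(p != p.strip() for p in parts):
        warnings.append("whitespace padding around a dot pushes the real "
                        "extension out of view")

    # 3. Truncated display: what the first visible_chars characters would
    #    lead a user to believe, versus what the file really is.
    if len(name) > visible_chars:
        visible = name[:visible_chars].rstrip()
        shown_ext = ("." + visible.rsplit(".", 1)[-1].lower()) if "." in visible else ""
        if shown_ext in DECOY_EXTS and shown_ext != true_ext:
            warnings.append(f"a {visible_chars}-character listing shows '{visible}' "
                            f"({shown_ext}) but the file is {true_ext}")
    return warnings


if __name__ == "__main__":
    # Constructed sample names, not files seen in the wild.
    for sample in ("Holiday.avi",
                   "Holiday.avi.exe",
                   "FunnyAnimals.avi .exe",
                   "Holiday.avi" + " " * 30 + ".exe"):
        print(repr(sample), "->", filename_warnings(sample) or "ok")
```

The same function covers the *.doc.exe case from the answer above, since .doc is in the decoy list. It deliberately does not look at content: a genuine .avi that exploits a player (the case Synetech's answer treats) has an honest name and passes this check, which is exactly why the answer calls the social route the usual one rather than the only one.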

AVI files won't be infected with a virus. When you download movies from a torrent, if the movie is in a RAR package or comes as an EXE file instead of an AVI, then surely there is a chance of a virus in it.

Some of them ask you to download an additional codec from some website to view the movie. These are the suspect ones. But if it is an AVI, then you can surely give it a try playing it in your video player. Nothing will happen.

could merely un-raring the file give you a virus?
– user3183, Aug 19 '09 at 23:03

@user3183, possibly. The file may be designed to exploit a vulnerability in WinRAR/7-zip/etc.
– Synetech, Jul 6 '12 at 5:15

@Synetech: the likelihood of that is just the same as the likelihood of exploiting a vulnerability in your media player, which is to say much less likely than an .avi.exe exploit.
– Lie Ryan, Jul 6 '12 at 10:41

@LieRyan, exactly. There are enough different archive programs and versions of the same that the target surface area is (too) large. For glory-hounds, it may be worth the effort, but for business-hackers, it is better to target the OS.
– Synetech, Jul 6 '12 at 15:48

AVI files cannot have a virus if they are video files. While downloading, your browser keeps the download in its own format; that is why the antivirus detects it as a virus. When downloading the AVI file, make sure that after the download the file is run in a video player; if it is an invalid file then it will not play, and no prizes for guessing: it will be a virus then.

If you try to double-click and run it directly, and there is a slight chance of a virus, then it will come out. Take precautions and you don't need antivirus software.